#!/bin/sh
# ########################################################################
# This program is part of $PROJECT_NAME$
# License: GPL License (see COPYING)
# Authors:
# Baron Schwartz
# ########################################################################
# ########################################################################
# Nagios reads only STDOUT, so fold STDERR into it for the whole run.
# ########################################################################
exec 2>&1
# ########################################################################
# Nagios plugin return codes.  The case statement at the bottom of this
# file maps the OK/WARN/CRIT/UNK prefix of main()'s output onto them.
# ########################################################################
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3
STATE_DEPENDENT=4
# ########################################################################
# Run the program.
# ########################################################################
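#######################################
# Locate every MySQL data directory and verify that everything under it is
# owned by the expected Unix user and group.
# Globals:   OPT_* (written from the command line), NOTE/NOTE2/WRONG/FILES
#            (written)
# Arguments: the plugin's command line; every option takes a value
# Outputs:   one status line on stdout prefixed OK/WARN/CRIT/UNK; the
#            caller at the bottom of the file maps that prefix to the
#            Nagios exit status
# Returns:   0, or exits early on a usage error, --help, --version, or
#            when a temp file cannot be created
#######################################
main() {
  # Get options.  Each arm consumes the option and its value, so whatever
  # is still in $1 after the loop is a spurious argument.
  for o; do
    case "${o}" in
      -c) shift; OPT_CRIT="${1}"; shift; ;;
      --defaults-file) shift; OPT_DEFT="${1}"; shift; ;;
      -g) shift; OPT_UNIX_GROUP="${1}"; shift; ;;
      -H) shift; OPT_HOST="${1}"; shift; ;;
      -l) shift; OPT_USER="${1}"; shift; ;;
      -L) shift; OPT_LOPA="${1}"; shift; ;;
      -p) shift; OPT_PASS="${1}"; shift; ;;
      -P) shift; OPT_PORT="${1}"; shift; ;;
      -S) shift; OPT_SOCK="${1}"; shift; ;;
      -u) shift; OPT_UNIX_USER="${1}"; shift; ;;
      -w) shift; OPT_WARN="${1}"; shift; ;;
      --version) grep -A2 '^=head1 VERSION' "$0" | tail -n1; exit 0 ;;
      --help) perl -00 -ne 'm/^ Usage:/ && print' "$0"; exit 0 ;;
      -*) echo "Unknown option ${o}. Try --help."; exit 1; ;;
    esac
  done
  OPT_UNIX_GROUP="${OPT_UNIX_GROUP:-mysql}"
  OPT_UNIX_USER="${OPT_UNIX_USER:-mysql}"
  if [ -e '/etc/nagios/mysql.cnf' ]; then
    OPT_DEFT="${OPT_DEFT:-/etc/nagios/mysql.cnf}"
  fi
  if is_not_sourced; then
    if [ -n "$1" ]; then
      echo "WARN spurious command-line options: $*"
      exit 1
    fi
  fi
  # Set the exit status in case there are any problems.
  NOTE="UNK could not determine the datadir location."
  # Set up files to hold one or more data directory locations.  Declare and
  # assign separately: 'local x=$(cmd)' returns local's own (zero) status,
  # so the '|| exit' could never fire on a failed mktemp.
  local TEMP DATADIRS
  TEMP=$(mktemp -t "${0##*/}.XXXXXX") || exit $?
  trap "rm -f '${TEMP}' >/dev/null 2>&1" EXIT
  DATADIRS=$(mktemp -t "${0##*/}.XXXXXX") || exit $?
  trap "rm -f '${TEMP}' '${DATADIRS}' >/dev/null 2>&1" EXIT
  # If any connection option was given (login-path included), then try to
  # log in to find the datadir instead of scanning the process table.
  if [ "${OPT_DEFT}${OPT_LOPA}${OPT_HOST}${OPT_USER}${OPT_PASS}${OPT_PORT}${OPT_SOCK}" ]; then
    # If this fails (e.g. we can't log in), then there will be no line in the
    # file, and later we won't change the exit code / note away from "UNK".
    mysql_exec "SELECT IF(@@datadir LIKE '/%', @@datadir, CONCAT(@@basedir, @@datadir))" >> "${DATADIRS}"
  else
    # Find all MySQL server instances.
    for pid in $(_pidof mysqld); do
      ps -p "${pid}" -o pid,command | grep "${pid}" >> "${TEMP}"
    done
    # The ${TEMP} file may now contain lines like the following sample:
    # 13822 /usr/sbin/mysqld --defaults-file=/var/lib/mysql/my.cnf \
    # --basedir=/usr --datadir=/var/lib/mysql/data/ \
    # --pid-file=/var/run/mysqld/mysqld.pid \
    # --socket=/var/run/mysqld/mysqld.sock
    # Now the task is to find any reference to a --datadir option and store
    # its value in the $DATADIRS temp file.  Only a literal "--datadir=" is
    # accepted: a command line that merely mentions "datadir" elsewhere
    # (e.g. in a --defaults-file path) carries no datadir to extract.
    # TODO: maybe in the future we can detect the user/group under which the
    # process runs, and assume that is the right value, rather than defaulting
    # to 'mysql'.
    while read -r pid command; do
      case "${command}" in
        *--datadir=*)
          # Strip off everything up to and including the last --datadir=
          command="${command##*--datadir=}"
          # Strip off any options that follow this, assuming that there's not
          # a space followed by a dash in the datadir's path.
          echo "${command%% -*}" >> "${DATADIRS}"
          ;;
      esac
    done < "${TEMP}"
  fi
  # ${TEMP} is reused to collect find(1) diagnostics (e.g. permission
  # denied); anything written there turns the result into UNK below.
  WRONG=""
  NOTE2=""
  : > "${TEMP}"
  while read -r datadir; do
    FILES="$(find "${datadir}" \! -group "${OPT_UNIX_GROUP}" -o \! -user "${OPT_UNIX_USER}" 2>>"${TEMP}")"
    if [ "${FILES}" ]; then
      WRONG=1
      NOTE2="${NOTE2:+${NOTE2} }${FILES}"
    fi
    NOTE="OK all files/directories have correct ownership."
  done < "${DATADIRS}"
  if [ -s "${TEMP}" ]; then
    NOTE="UNK $(cat "${TEMP}")"
  elif [ "${WRONG}" ]; then
    # -c is a flag rather than a threshold: its presence upgrades WARN to CRIT.
    if [ "${OPT_CRIT}" ]; then
      NOTE="CRIT files with wrong ownership: ${NOTE2}"
    else
      NOTE="WARN files with wrong ownership: ${NOTE2}"
    fi
  fi
  # Nagios wants a single line, so the unquoted expansion is deliberate: it
  # collapses the newline-separated file list onto one line.  Globbing is
  # switched off meanwhile so a file name containing shell wildcards is
  # reported verbatim instead of being expanded against the cwd.
  set -f
  echo $NOTE
  set +f
}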
# ########################################################################
# Execute a MySQL command.
# ########################################################################
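#######################################
# Run one SQL statement through the mysql client with the OPT_* connection
# settings collected by main(), in silent (-ss) output mode.
# Globals:   OPT_DEFT OPT_LOPA OPT_HOST OPT_PORT OPT_USER OPT_PASS OPT_SOCK
#            (read)
# Arguments: $1 - the SQL statement
# Outputs:   the client's stdout
# Returns:   the mysql client's exit status
#######################################
mysql_exec() {
  local query="$1"
  # Plain sh has no arrays, so the argument list is built with "set --".
  # This keeps a value containing whitespace (e.g. a defaults-file path)
  # as one argument, which the unquoted ${VAR:+...} expansions did not.
  # --defaults-file stays first: the client only honours it as the leading
  # option.
  set --
  [ -n "${OPT_DEFT}" ] && set -- "$@" --defaults-file="${OPT_DEFT}"
  [ -n "${OPT_LOPA}" ] && set -- "$@" --login-path="${OPT_LOPA}"
  [ -n "${OPT_HOST}" ] && set -- "$@" -h"${OPT_HOST}"
  [ -n "${OPT_PORT}" ] && set -- "$@" -P"${OPT_PORT}"
  [ -n "${OPT_USER}" ] && set -- "$@" -u"${OPT_USER}"
  # A password passed on argv is visible to other local users in the
  # process table; --defaults-file or --login-path avoid that.
  [ -n "${OPT_PASS}" ] && set -- "$@" -p"${OPT_PASS}"
  [ -n "${OPT_SOCK}" ] && set -- "$@" -S"${OPT_SOCK}"
  mysql "$@" -ss -e "${query}"
}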
# ########################################################################
# A wrapper around pidof, which might not exist. The first argument is the
# command name to match.
# ########################################################################
#######################################
# pidof(1) with a fallback for systems that lack it: when pidof is missing
# or finds nothing, scan the process table with ps/awk instead.
# Arguments: $1 - command name to match
# Outputs:   matching PIDs on stdout, one per line
# Returns:   0 when pidof matched, otherwise the status of the ps|awk fallback
#######################################
_pidof() {
  local name="$1"
  if pidof "${name}" 2>/dev/null; then
    return 0
  fi
  ps axo pid,ucomm | awk -v comm="${name}" '$2 == comm { print $1 }'
}
# ########################################################################
# Determine whether this program is being executed directly, or sourced/included
# from another file.
# ########################################################################
is_not_sourced() {
  # True when $0 is this script's own file name, or when $0 is "bash" and
  # $_ still equals it.  Both "bash" comparisons are kept inside one [ command
  # on purpose: $_ is rewritten by every simple command, so splitting the -a
  # into two [ ... ] tests would change what it reads.
  # NOTE(review): the meaning of $_ here is shell-specific and is not
  # established by this file; treat the "bash" arm as bash-only.
  [ "${0##*/}" = "pmp-check-mysql-file-privs" ] || [ "${0##*/}" = "bash" -a "$_" = "$0" ]
}
# ########################################################################
# Execute the program if it was not included from another file.
# This makes it possible to include without executing, and thus test.
# ########################################################################
# Run main() only when executed directly; a sourcing test harness gets the
# functions without side effects.  The first word of main()'s output selects
# the Nagios exit status, anything unrecognised counting as UNKNOWN.
if is_not_sourced; then
  OUTPUT=$(main "$@")
  case "${OUTPUT}" in
    OK*)   EXITSTATUS=$STATE_OK ;;
    WARN*) EXITSTATUS=$STATE_WARNING ;;
    CRIT*) EXITSTATUS=$STATE_CRITICAL ;;
    *)     EXITSTATUS=$STATE_UNKNOWN ;;
  esac
  echo "${OUTPUT}"
  exit "${EXITSTATUS}"
fi
# ############################################################################
# Documentation
# ############################################################################
: <<'DOCUMENTATION' # no-op heredoc; --help and --version read this POD out of "$0"
=pod
=head1 NAME
pmp-check-mysql-file-privs - Alert if MySQL data directory privileges are wrong.
=head1 SYNOPSIS
Usage: pmp-check-mysql-file-privs [OPTIONS]
Options:
-c CRIT Critical threshold; makes a privilege issue critical.
--defaults-file FILE Only read mysql options from the given file.
Defaults to /etc/nagios/mysql.cnf if it exists.
-g GROUP The Unix group who should own the files; default mysql.
-H HOST MySQL hostname.
-l USER MySQL username.
-L LOGIN-PATH Use login-path to access MySQL (with MySQL client 5.6).
-p PASS MySQL password.
-P PORT MySQL port.
-S SOCKET MySQL socket file.
-u USER The Unix user who should own the files; default mysql.
-w WARN Warning threshold; ignored.
--help Print help and exit.
--version Print version and exit.
Options must be given as --option value, not --option=value or -Ovalue.
Use perldoc to read embedded documentation with more details.
=head1 DESCRIPTION
This Nagios plugin checks to make sure that the MySQL data directory, and its
contents, is owned by the correct Unix user and group. If the ownership is
incorrect, then the server might fail due to lack of permission to modify its
data. For example, suppose a system administrator enters a database directory
and creates a file that is owned by root. Now a database administrator issues a
DROP TABLE command, which fails because it is unable to remove the file and thus
the non-empty directory cannot be removed either.
The plugin accepts the -g and -u options to specify which Unix user and group
should own the data directory and its contents. This is usually the user account
under which MySQL runs, which is mysql by default on most systems. The plugin
assumes that user and group by default, too.
The plugin accepts the -w and -c options for compatibility with standard Nagios
plugin conventions, but they are not based on a threshold. Instead, the plugin
raises a warning by default, and if the -c option is given, it raises an error
instead, regardless of the option's value.
By default, this plugin will attempt to detect all running instances of MySQL,
and verify the data directory ownership for each one. It does this purely by
examining the Unix process table with the C<ps> tool. However, in some cases
the process's command line does not list the path to the data directory. If the
tool fails to detect the MySQL server process, or if you wish to limit the check
to a single instance in the event that there are multiple instances on a single
server, then you can specify MySQL authentication options. This will cause the
plugin to skip examining the Unix processlist, log into MySQL, and examine the
datadir variable from SHOW VARIABLES to find the location of the data directory.
If the user running this plugin has no permission to examine the datadir,
the plugin returns UNKNOWN with an explanation.
=head1 PRIVILEGES
This plugin executes the following commands against MySQL:
=over
=item *
C<SELECT> the MySQL system variables C<@@datadir> and C<@@basedir>.
=back
This plugin executes the following UNIX commands that may need special privileges:
=over
=item *
ps
=item *
find C<datadir>
=back
The plugin should be able to either get variables from MySQL or find mysqld
PID using C<ps> command.
On BSD, if the C<sysctl> option C<security.bsd.see_other_uids> is set to 0, C<ps>
will not return the mysqld PID when the plugin is run as a non-root user.
The user running the plugin must also be able to read the MySQL datadir
files, so you may want to add it to the mysql Unix group, for example.
=head1 COPYRIGHT, LICENSE, AND WARRANTY
This program is copyright 2012-$CURRENT_YEAR$ Baron Schwartz, 2012-$CURRENT_YEAR$ Percona Inc.
Feedback and improvements are welcome.
THIS PROGRAM IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation, version 2. You should have received a copy of the GNU General
Public License along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
=head1 VERSION
$PROJECT_NAME$ pmp-check-mysql-file-privs $VERSION$
=cut
DOCUMENTATION